| 1 |
On Tue, Jul 29, 2008 at 08:51:45PM +0100, Mike Auty wrote: |
| 2 |
> In this Glep (xx+1), in the section discussing the procedure for |
| 3 |
> creating a MetaManifest file, in step 3.3, does that include |
| 4 |
> verification of the manifest's signature if it has one? It would seem |
| 5 |
> odd to ignore the signature if it's wrong (I'm not sure about the case |
| 6 |
> if a signature isn't present). I also don't know how this would then be |
| 7 |
> handled (a complete abort, or ignoring the latest changeset to that |
| 8 |
> ebuild?). |
| 9 |
It doesn't care whatsoever about signatures inside Manifests. |
| 10 |
That's because there's no difference between a Manifest that isn't |
| 11 |
signed by a developer, and a Manifest that is developer-signed but any |
| 12 |
master signature on the developer has been revoked. |
| 13 |
It's also totally impossible to just block a changeset at the moment |
| 14 |
like that, even if we had Git. |
| 15 |
|
| 16 |
> If the signature check happened here, it could also allow for |
| 17 |
> enforcable revocation of developer certificates (once they're revoked, |
| 18 |
> any signed manifests will have the ebuild changes ignored). That may be |
| 19 |
> a lot of work and may take too long, but if not (and depending on our |
| 20 |
> users' trust needs), it might allow them just to check the |
| 21 |
> MetaManifest's signature, and not that of the individual packages. Does |
| 22 |
> that seems sensible? |
| 23 |
They don't need to check the signatures of the individual packages |
| 24 |
unless they are really paranoid anyway. You've missed one of the key |
| 25 |
points of MetaManifest: |
| 26 |
It defends ONLY the path from the Gentoo infrastructure to the users. |
| 27 |
|
| 28 |
P.S, you don't need to CC me. |
| 29 |
|
| 30 |
-- |
| 31 |
Robin Hugh Johnson |
| 32 |
Gentoo Linux Developer & Infra Guy |
| 33 |
E-Mail : robbat2@g.o |
| 34 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives